New Member

access-list

Can anyone help me with the keyword ESTABLISHED used in extended access-lists?

Does that keyword transform an access-list to perform stateful inspection?

Thanks in Advance.

3 REPLIES
Silver

Re: access-list

The 'established' keyword lets packets with the ACK or RST bit set enter the secured network. In other words, if a TCP session is initiated from the inside network to a host in the untrusted outside network, the packets coming from the destination back to the source for that session will be allowed.

It is not really stateful inspection. For stateful inspection, consider CBAC.

Hope this helps.

New Member

Re: access-list

Thanks for your time,

Still, it's unclear to me: does that mean that without the established keyword, it's required to have an inbound access-list as well to permit incoming traffic from the untrusted network?

Silver

Re: access-list

Yes, you are right.

Without established, the returning packets will not be able to enter your interface. Usually, you will let everything go out from your site. But coming in, you will define an ACL with established. Note, however, that established won't allow active protocols like FTP to enter (as it is not inspecting packets). However, passive FTP should work fine.

Thanks.
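
As an added example, not part of the original thread and not taken from Cisco documentation, the following IOS configuration puts the two approaches named in the replies side by side: an inbound ACL relying on the 'established' keyword (the second and third replies) and CBAC inspection (the alternative mentioned in the first reply). The interface names, the 192.168.1.0/24 inside network, and the ACL and inspect names are assumptions made up for this example.

```cisco
! Constructed example topology (not from the thread): inside LAN 192.168.1.0/24 on
! FastEthernet0/0, untrusted network on Serial0/0. Names and addresses are assumptions.
!
! --- Option A: inbound ACL with the 'established' keyword (as in the replies) ---
! Matches any TCP segment whose ACK or RST bit is set. No session table is consulted,
! so it admits return traffic for sessions opened from inside, but equally any other
! segment that happens to carry ACK or RST.
ip access-list extended OUTSIDE-IN
 remark Return traffic for TCP sessions initiated from the inside
 permit tcp any 192.168.1.0 0.0.0.255 established
 remark Inbound connection attempts (SYN without ACK) are dropped: active-mode FTP
 remark data connections from server port 20 fail here; passive FTP still works
 deny   ip any any log
!
interface Serial0/0
 description Untrusted side
 ip access-group OUTSIDE-IN in
!
! Outbound direction: the replies note that everything is usually allowed out,
! which is the default when no ACL is applied in that direction.
!
! --- Option B: CBAC stateful inspection (the alternative named in the first reply) ---
! Inspect sessions leaving through Serial0/0; CBAC records each one and opens a
! temporary inbound entry only for that session's return traffic. The ftp inspection
! reads the control channel so the data connection is admitted in either mode.
ip inspect name CBAC-FW tcp
ip inspect name CBAC-FW udp
ip inspect name CBAC-FW ftp
!
ip access-list extended OUTSIDE-IN-CBAC
 remark Nothing is statically permitted; CBAC adds dynamic entries ahead of this deny
 deny   ip any any log
!
interface Serial0/0
 description Untrusted side (use this in place of Option A on the same interface)
 ip access-group OUTSIDE-IN-CBAC in
 ip inspect CBAC-FW out
```

The difference the replies are getting at is visible in the two inbound ACLs: Option A's permit line decides on two header bits alone, so it has no way to tell a genuine reply from any other segment carrying ACK or RST, whereas Option B's ACL permits nothing statically and relies on the inspection engine's session table to open only what an inside host actually started. The 'log' on the deny lines gives a record of what the untrusted side attempted, which is useful when comparing the two configurations on a live interface.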
